Rapid7 Vulnerability & Exploit Database

Apache Druid JNDI Injection RCE

Back to Search

Apache Druid JNDI Injection RCE

Disclosed
02/07/2023
Created
06/24/2023

Description

This module is designed to exploit the JNDI injection vulnerability in Druid. The vulnerability specifically affects the indexer/v1/sampler interface of Druid, enabling an attacker to execute arbitrary commands on the targeted server. The vulnerability is found in Apache Kafka clients versions ranging from 2.3.0 to 3.3.2. If an attacker can manipulate the sasl.jaas.config property of any of the connector's Kafka clients to com.sun.security.auth.module.JndiLoginModule, it allows the server to establish a connection with the attacker's LDAP server and deserialize the LDAP response. This provides the attacker with the capability to execute java deserialization gadget chains on the Kafka connect server, potentially leading to unrestricted deserialization of untrusted data or even remote code execution (RCE) if there are relevant gadgets in the classpath. To facilitate the exploitation process, this module will initiate an LDAP server that the target server needs to connect to in order to carry out the attack.

Author(s)

  • RedWay Security <info@redwaysecurity.com>
  • Jari Jääskelä <https://github.com/jarijaas>

Development

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/multi/http/apache_druid_cve_2023_25194
msf exploit(apache_druid_cve_2023_25194) > show targets
    ...targets...
msf exploit(apache_druid_cve_2023_25194) > set TARGET < target-id >
msf exploit(apache_druid_cve_2023_25194) > show options
    ...show and set options...
msf exploit(apache_druid_cve_2023_25194) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security

;